Basic and Advanced API Test Cases

Uploaded by Rohit Kumar

Sr No. | Checklist Point | Yes/No

1  Host header configuration: the Host header should be validated and handled properly.
2  X-Rate-Limit and X-Rate-Limit-Remaining headers should be configured.
3  URL tampering should not be allowed.
4  Authentication bypass should not be allowed.
5  Insecure direct object references (IDOR) should be blocked.
   Eg: the URL is https://abc.com/id=1
   If I change id to '2' it should not render the details of another user (id=2).
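An added example, not part of the original checklist, showing what rows 3 and 5 ask for: the same "get user by id" lookup with and without an object-level authorization check, plus a strict parse of the id parameter so a tampered value never reaches the lookup. The user table, the Principal type and the role names are assumptions made for this illustration.

```python
# Added example (not from the checklist): object-level authorization for a
# "get user by id" endpoint. The user table, Principal type and role names
# are assumptions for the illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Principal:
    user_id: int
    role: str  # "user" or "admin" (assumed role names)

# Constructed sample records standing in for a database.
USERS = {
    1: {"id": 1, "email": "alice@example.invalid", "ssn_last4": "1234"},
    2: {"id": 2, "email": "bob@example.invalid", "ssn_last4": "5678"},
}

def parse_object_id(raw: str) -> Optional[int]:
    """Strict parse of the id parameter: ASCII digits only, bounded length.
    Anything else (negative numbers, SQL fragments, unicode digits) is rejected."""
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 9:
        return None
    return int(raw)

def get_user_vulnerable(requester: Principal, target_id: int) -> Tuple[int, Optional[dict]]:
    """Trusts the id in the URL: any authenticated caller can read any record (IDOR)."""
    record = USERS.get(target_id)
    if record is None:
        return 404, None
    return 200, record

def get_user_hardened(requester: Principal, target_id: int) -> Tuple[int, Optional[dict]]:
    """Returns the record only if the caller owns it or is an admin.
    "Not found" and "not yours" produce the same 404, so the endpoint does not
    reveal which ids exist (consistent with rows 17 and 21)."""
    record = USERS.get(target_id)
    permitted = requester.user_id == target_id or requester.role == "admin"
    if record is None or not permitted:
        return 404, None
    return 200, record
```

The test for row 5 is exactly the difference between the two functions: authenticated as user 1, request id=2 and confirm the response is not user 2's record.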

6  Clear-text submission of passwords and other PII data should not be allowed.
7  Easily decodable encodings such as URL encoding or Base64 encoding should not be relied on to protect data.
8  The same password should not be reused for other users.
9  Whitelist allowable methods.
   Methods like PUT, DELETE, OPTIONS, TRACE, HEAD should be disabled.
   No PII data or session token should be transmitted using the GET method.
10 Input validation should be enforced.
11 Amount-based parameters should be checked against a configured amount limit range.
12 Null parameters should not be used.
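An added example, not part of the original checklist, covering rows 9 to 12 together: a request gate that allows only the methods registered for a route (answering anything else with 405 and an Allow header), refuses session tokens and PII in a GET query string, and validates a transfer body for null parameters and an amount range. The route table, parameter names and the limits are assumptions for the illustration.

```python
# Added example (not from the checklist): request gate for a small API.
# Route table, parameter names and limits are assumptions.
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional, Tuple

# Methods permitted per route (assumed). Everything else is answered with 405.
ALLOWED_METHODS = {
    "/api/transfer": {"POST"},
    "/api/balance": {"GET"},
}

# Parameter names that must never travel in a URL (URLs end up in proxy,
# browser and CDN logs).
FORBIDDEN_IN_QUERY = {"session", "token", "password", "ssn", "card"}

# Amount limits for the transfer endpoint (assumed business rule).
AMOUNT_MIN = Decimal("0.01")
AMOUNT_MAX = Decimal("10000.00")

def check_method(path: str, method: str) -> Tuple[int, Dict[str, str]]:
    """Allowlist check: unknown route -> 404, unlisted method -> 405 + Allow."""
    allowed = ALLOWED_METHODS.get(path)
    if allowed is None:
        return 404, {}
    if method not in allowed:
        return 405, {"Allow": ", ".join(sorted(allowed))}
    return 200, {}

def check_query(method: str, query: Dict[str, str]) -> List[str]:
    """Problems with the query string; sensitive names are refused on GET."""
    problems = []
    if method == "GET":
        leaked = sorted(k for k in query if k.lower() in FORBIDDEN_IN_QUERY)
        if leaked:
            problems.append(f"sensitive parameter(s) in GET query: {leaked}")
    return problems

def validate_transfer(params: Dict[str, Optional[str]]) -> List[str]:
    """Validate a transfer request body; an empty list means it passed."""
    required = ("to_account", "amount")
    # Row 12: absent, empty and the literal string "null" are all rejected.
    nulls = {n for n in required if params.get(n) in (None, "", "null", "NULL")}
    problems = [f"{n}: missing or null" for n in required if n in nulls]
    if "to_account" not in nulls:
        acct = params["to_account"]
        if not (acct.isascii() and acct.isdigit() and 8 <= len(acct) <= 16):
            problems.append("to_account: must be 8-16 digits")
    if "amount" not in nulls:
        # Row 11: parse as Decimal (never float) and enforce the configured range.
        try:
            amount = Decimal(params["amount"])
        except InvalidOperation:
            amount = None
        if amount is None or amount.is_nan() or amount.is_infinite():
            problems.append("amount: not a number")
        elif not (AMOUNT_MIN <= amount <= AMOUNT_MAX):
            problems.append(f"amount: outside {AMOUNT_MIN}-{AMOUNT_MAX}")
        elif amount.as_tuple().exponent < -2:
            problems.append("amount: more than two decimal places")
    return problems
```

NaN is checked before the range comparison on purpose: comparing a Decimal NaN with `<=` raises rather than returning False, so an unchecked "NaN" would turn a validation step into a server error.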
13 Frameworks or libraries with reported CVEs should not be used.
14 Weak ciphers should not be configured - run a scan on https://www.ssllabs.com/ssltest/
15 The API should not be open on port 80, i.e. plain HTTP.
16 All PII data must be encrypted.
17 Improper error handling should not be present.
   All pages should give either 200 or 404 status codes.
   201,400,403,405,411,501,503 error codes or version disclosure should not be present.
18 Check all input fields to protect from SQL injection.

19 Configure the below if file upload is present:
   1. Server-side validation. Have a server-side validation routine which performs filtering based on:
      a. File extensions
      b. Content-Types
      c. Magic numbers
      d. File size
   2. Strongly validate user input.
   3. Check user-supplied files or filenames.
   4. Check for file extensions and allow only permitted file extensions, e.g. jpg or png.
   5. Do not keep uploaded files under directories that have execute permissions.
   6. Install an antivirus that detects any malicious file uploaded; in such a case discard or delete the file and do not save it on the system.
   7. Double extensions or null bytes should not be permitted.
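An added example, not part of the original checklist, implementing the server-side validation routine described in row 19: extension allowlist, Content-Type match, magic-number match, size limit, and rejection of double extensions, null bytes and path separators, with the stored filename chosen by the server rather than the client. The size limit and the allowlist contents are assumptions for the illustration.

```python
# Added example (not from the checklist): server-side upload validation.
# The size limit and the extension allowlist are assumptions.
import os
import secrets
from typing import List

MAX_BYTES = 2 * 1024 * 1024  # assumed 2 MiB limit

# Extension -> (permitted Content-Type values, magic-number prefixes).
ALLOWED = {
    "jpg": ({"image/jpeg"}, [b"\xff\xd8\xff"]),
    "png": ({"image/png"}, [b"\x89PNG\r\n\x1a\n"]),
}

def validate_upload(filename: str, content_type: str, data: bytes) -> List[str]:
    """Return rejection reasons; an empty list means the file is acceptable."""
    problems = []
    if "\x00" in filename:
        problems.append("null byte in filename")
    # The client-supplied name must be a bare name: no directories, no traversal.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        problems.append("path separators or traversal in filename")
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # Catches "shell.php.jpg" style double extensions and names without one.
        problems.append("filename must be name.ext with exactly one extension")
        return problems
    ext = parts[1]
    if ext not in ALLOWED:
        problems.append(f"extension .{ext} not permitted")
        return problems
    types, magics = ALLOWED[ext]
    # Content-Type is client-controlled; it must agree with the extension...
    if content_type.split(";")[0].strip().lower() not in types:
        problems.append("Content-Type does not match extension")
    # ...and the bytes themselves must agree with both.
    if not any(data.startswith(m) for m in magics):
        problems.append("magic number does not match extension")
    if len(data) == 0 or len(data) > MAX_BYTES:
        problems.append("file empty or too large")
    return problems

def stored_name(ext: str) -> str:
    """Random server-chosen name: the client's filename is never used on disk."""
    return f"{secrets.token_hex(16)}.{ext}"
```

The routine reports every failed check rather than stopping at the first, which is what a reviewer working through this checklist wants to see in the rejection log; the file is still stored only when the list comes back empty, and then under `stored_name()` in a directory without execute permission (item 5).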

20 Brute forcing should not be allowed.
21 Enumeration should not be allowed.
   Eg: If you enter a correct username and a wrong password, the error should be "invalid credentials" and not "incorrect password entered".
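An added example, not part of the original checklist, serving rows 2, 20 and 21 together: a fixed-window rate limiter that returns the X-Rate-Limit and X-Rate-Limit-Remaining headers, and a login routine that answers "invalid credentials" whether the username or the password was wrong and does the same amount of hashing work in both cases. The user store, the password hashing parameters, the limits and the injectable clock are assumptions for the illustration.

```python
# Added example (not from the checklist): rate limiting with the headers
# from row 2, and a login check that does not distinguish unknown users
# from wrong passwords. User store, limits and clock are assumptions.
import hashlib
import hmac
import time
from typing import Callable, Dict, Tuple

WINDOW_SECONDS = 60
LIMIT_PER_WINDOW = 5            # assumed policy: five attempts per source per minute
GENERIC_ERROR = "invalid credentials"   # the one message for every failed login

class RateLimiter:
    """Fixed-window counter keyed by source (client IP or account name)."""
    def __init__(self, limit: int = LIMIT_PER_WINDOW, window: int = WINDOW_SECONDS,
                 clock: Callable[[], float] = time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self._buckets: Dict[str, Tuple[int, int]] = {}   # key -> (window_start, count)

    def check(self, key: str) -> Tuple[bool, Dict[str, str]]:
        now = int(self.clock())
        window_start = now - now % self.window
        start, count = self._buckets.get(key, (window_start, 0))
        if start != window_start:          # a new window: reset the counter
            start, count = window_start, 0
        allowed = count < self.limit
        if allowed:
            count += 1
        self._buckets[key] = (start, count)
        headers = {"X-Rate-Limit": str(self.limit),
                   "X-Rate-Limit-Remaining": str(max(self.limit - count, 0))}
        return allowed, headers

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: username -> (salt, PBKDF2 hash). Not real credentials.
_SALT = b"constructed-salt-for-the-example"
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}
# Hashed against when the username is unknown, so both paths cost the same
# and response time does not reveal whether the account exists.
_DUMMY = (_SALT, _hash("placeholder", _SALT))

def login(limiter: RateLimiter, source: str, username: str, password: str):
    """Returns (success, message, headers). Wrong user and wrong password look identical."""
    allowed, headers = limiter.check(source)
    if not allowed:
        return False, "too many attempts", headers
    salt, expected = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), expected)
    if not matches or username not in USERS:
        return False, GENERIC_ERROR, headers
    return True, "ok", headers
```

Row 21 is tested by comparing the message (and, with a stopwatch, the latency) of a wrong-user attempt against a wrong-password attempt; row 20 by counting how many attempts the limiter admits before X-Rate-Limit-Remaining reaches 0.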
22 Below HTTP headers should be configured:
   X-XSS-Protection
   X-Content-Type-Options
   Access-Control-Allow-Origin
23 Below cache control headers should be configured:
   Cache-Control: no-store
   Pragma: no-cache
24 If a session is maintained, below cookie attributes need to be set:
   HttpOnly
   SameSite (Strict or Lax)
   Secure
   Domain
   Path
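An added example, not part of the original checklist, that turns rows 22 to 24 into an automated check: one function audits a response's headers for the listed names and values, another audits a Set-Cookie value for the five listed attributes, and a third builds a session cookie that carries all of them. The header values used in the tests and the wildcard-origin rule are assumptions for the illustration.

```python
# Added example (not from the checklist): audit functions for rows 22-24.
# Expected values and the wildcard-origin rule are assumptions.
from http.cookies import SimpleCookie
from typing import Dict, List

# Header -> required value (None means "must be present", any value).
REQUIRED_HEADERS = {
    "X-XSS-Protection": None,
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": None,
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}
REQUIRED_COOKIE_ATTRS = ("httponly", "secure", "samesite", "domain", "path")

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or mis-valued headers (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, expected in REQUIRED_HEADERS.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f"missing header: {name}")
        elif expected is not None:
            tokens = [p.strip().lower() for p in value.split(",")]
            if expected.lower() not in tokens:
                findings.append(f"{name} should be {expected}, got {value}")
    # Present is not enough for CORS: a wildcard origin on a credentialed API is a finding.
    if lowered.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin is a wildcard")
    return findings

def audit_set_cookie(set_cookie: str) -> List[str]:
    """Return findings for each cookie attribute from row 24 that is absent or wrong."""
    cookie = SimpleCookie()
    cookie.load(set_cookie)
    findings = []
    for name, morsel in cookie.items():
        for attr in REQUIRED_COOKIE_ATTRS:
            if not morsel[attr]:
                findings.append(f"cookie {name}: missing {attr}")
        if morsel["samesite"] and morsel["samesite"].lower() not in ("strict", "lax"):
            findings.append(f"cookie {name}: SameSite must be Strict or Lax")
    return findings

def build_session_cookie(name: str, value: str, domain: str,
                         path: str = "/", samesite: str = "Lax") -> str:
    """Set-Cookie value with every attribute row 24 asks for."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = samesite
    morsel["domain"] = domain
    morsel["path"] = path
    return morsel.OutputString()
```

Feeding `build_session_cookie()` back into `audit_set_cookie()` is the quickest regression test for the cookie rules; the header audit is meant to run over a real response captured from the API.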
Sr. No. | Test Case/Attack Name | Details | Yes/No

1  XML Injection
   Details: Kindly refer to the link below for the same:
   https://www.owasp.org/index.php/Testing_for_XML_Injection_(OTG-INPVAL-008)
2  XPATH Injection
   Details: Kindly refer to this for XPATH injection: https://www.owasp.org/index.php/XPATH_Injection
3  Check for XML External Entity attack (XXE) (NOTE: possible only in SOAP web services)
   Details: Please refer to this: https://www.gracefulsecurity.com/xxe-cheatsheet/
4  Malformed XML Schema
   Details: Tamper with the XML schema, add XML tags or remove XML tags, and check whether the server accepts it.
5  Check for a random token if the web service is invoked from a server directly
   Details: Check for the implementation of a random token if a server directly invokes a web service. Checks to be performed:
   Randomness of the token
   Validation of the token on the server side
   Reuse of a previously assigned token
6  Check for whitelisting if the web service is invoked from a server directly
   Details: If a web server directly calls a web service, then the server's IP address should be whitelisted.
7  Check for parameter manipulation (parameters that are passed in web services)
   Details: Check for retrieval of data by parameter tampering/alteration.
8  Check for privilege escalation attack
   Details: If a web service is intended for a high-privilege user, then try to access the same with a low-privilege login.
9  WSDL rendering
   Details: A user should not be able to view the schema / XML format of the web service; you can check this by appending "?wsdl" to the URL of the web service.
10 Check for SSL certificate related checks
   Details: Check for vulnerabilities related to SSL like BEAST, CRIME, POODLE etc.; also check for weak ciphers and self-signed certificates.
11 Check for SQL injection (DB error in responses) on parameters passed in web services
   Details: Check for any ORA error or any DB-related error or any such instance that indicates SQL injection possibilities.
12 Check for blind SQL injection on parameters passed in web services
   Details: Check for non-error-based SQL injection using operators like '+' and '||' and true/false conditions.
13 Check for cross-site scripting (XSS) (any reflection in responses) (possible only in case the web service is invoked from an application)
   Details: Check for strings from the request getting reflected in responses, and special characters getting reflected without being escaped, like &lt; and &gt;.
14 Check for all password-related attacks if the web service is used for login (scenario based)
   Details: If the web service is used for login, or a login feature is implemented, then check for all password-related attacks like:
   Password replay
   Password policy
   Password verification at the server end
   Partial/blank password etc.
15 Check for strong encryption on sensitive data
   Details: Try attacks like replaying the same encrypted value.
16 Check for sensitive data in responses
   Details: Check for HTTP headers or any other sensitive info in responses.
17 SOAPAction Spoofing
   Details: http://www.ws-attacks.org/SOAPAction_Spoofing
18 XML Attribute Count Attack
   Details: http://www.ws-attacks.org/Oversized_XML_attack
19 SOAP Array Attack
   Details: http://www.ws-attacks.org/Soap_Array_Attack
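An added example, not part of the original checklist, showing the intake-side defence for rows 3, 4 and 18 of this table: an XML parser configured to refuse DOCTYPE and entity declarations (the XXE and entity-expansion vectors), cap document size, nesting depth and attributes per element, and treat malformed XML as a rejection rather than a best-effort parse. It uses only the standard-library expat binding; the limits are assumptions for the illustration.

```python
# Added example (not from the checklist): hardened XML intake.
# Limits are assumptions; tune them to the real schema.
import xml.parsers.expat as expat
from typing import Dict

MAX_BYTES = 1_000_000
MAX_DEPTH = 32
MAX_ATTRS_PER_ELEMENT = 64

class UnsafeXML(ValueError):
    """Raised for any document the intake refuses to process."""

def parse_untrusted_xml(data: bytes) -> Dict[str, int]:
    """Parse untrusted XML under strict limits; returns element/depth statistics."""
    if len(data) > MAX_BYTES:
        raise UnsafeXML("document too large")
    parser = expat.ParserCreate()
    stats = {"elements": 0, "max_depth": 0}
    depth = 0

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if depth > MAX_DEPTH:
            raise UnsafeXML("nesting too deep")
        if len(attrs) > MAX_ATTRS_PER_ELEMENT:        # row 18: attribute count attack
            raise UnsafeXML(f"too many attributes on <{name}>")

    def end_element(name):
        nonlocal depth
        depth -= 1

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # No DOCTYPE means no external entities (row 3) and no entity expansion.
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def reject_entity(*args):
        raise UnsafeXML("entity declarations are not accepted")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    # Belt and braces: never resolve an external entity even if one were declared.
    parser.ExternalEntityRefHandler = lambda *args: 0

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Row 4: a tampered or truncated document is rejected, not repaired.
        raise UnsafeXML(f"malformed XML: {exc}") from None
    return stats
```

Exceptions raised inside an expat handler propagate out of `Parse()`, so a single `UnsafeXML` type is all the caller needs to catch; the message is for the server-side log, and the client should get the generic error the first table's row 17 asks for.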
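An added example, not part of the original checklist, for row 18 of the first table and rows 11 and 12 of this one: a lookup built by string concatenation beside its parameterised replacement, and an endpoint wrapper that keeps database errors out of the response (which is exactly the signal row 11 tells the tester to look for). It uses an in-memory SQLite table with constructed rows.

```python
# Added example (not from the checklist): vulnerable vs parameterised query.
# Table and rows are constructed for the illustration.
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])   # constructed sample rows
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> List[Tuple]:
    """String concatenation: the parameter becomes part of the SQL grammar.
    A quote in the input either changes the WHERE clause or breaks the
    statement, and the resulting DB error is what row 11 looks for."""
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn: sqlite3.Connection, owner: str) -> List[Tuple]:
    """Bound parameter: the value is passed separately from the statement, so
    it can only ever be compared against the owner column."""
    return conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()

def api_lookup(conn: sqlite3.Connection, owner: str):
    """Endpoint wrapper: no DB error text or engine detail reaches the client."""
    try:
        rows = lookup_hardened(conn, owner)
    except sqlite3.Error:
        # Log the detail server-side; the client sees the same generic response.
        return 404, {"error": "not found"}
    if not rows:
        return 404, {"error": "not found"}
    return 200, {"accounts": [{"id": r[0], "balance": r[2]} for r in rows]}
```

The difference the test cases in rows 11 and 12 are probing is visible in the two return values: the same tautology input returns every row from the vulnerable function and nothing from the parameterised one.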
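An added example, not part of the original checklist, for the three checks under row 5 of this table (randomness, server-side validation, reuse of a previously assigned token): a single-use request token store for server-to-service calls, drawing tokens from the OS CSPRNG, keeping only a hash server-side, and rejecting expired, reused or wrongly-presented tokens. The store, the time-to-live and the injectable clock are assumptions for the illustration.

```python
# Added example (not from the checklist): single-use request tokens for
# server-to-service calls. TTL, store and clock are assumptions.
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

TOKEN_TTL_SECONDS = 300

class TokenStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        # Only a hash of the token is kept: a copy of the store cannot be replayed.
        self._issued: Dict[str, Tuple[str, float]] = {}   # sha256(token) -> (caller, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, caller: str) -> str:
        """Randomness: 256 bits from secrets, never from random() or a counter."""
        token = secrets.token_urlsafe(32)
        self._issued[self._digest(token)] = (caller, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, caller: str, token: str) -> Tuple[bool, str]:
        """Server-side validation. The token is removed on first presentation,
        so a second presentation (reuse) fails even if the first was rejected."""
        entry = self._issued.pop(self._digest(token), None)
        if entry is None:
            return False, "unknown or already used"
        issued_to, expires_at = entry
        if self.clock() > expires_at:
            return False, "expired"
        if not hmac.compare_digest(issued_to, caller):
            return False, "token not issued to this caller"
        return True, "ok"
```

Burning the token on a failed presentation is deliberate: a token seen from the wrong caller is treated as compromised rather than left valid for the legitimate one.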
